
Shellshock Vulnerability: Flaws, Changes Required, and Prevention Methods

   

Added on  2022-11-13

Secure Programming
Vulnerabilities in open source software have become a common occurrence as more software is
rolled out in the marketplace, despite the usual saying that open source software is more secure than
proprietary software because many hands are involved in making changes to it. Recently, several bugs
have been reported in open source software, including but not limited to the
following: Heartbleed, Shellshock and Drupageddon. This report discusses the Shellshock
vulnerability in detail, outlining the flaws involved in the programming, the changes that would
make the code safe, why the bugs may have existed for so long, and the methods to prevent future
instances of bugs.
The Shellshock bug takes advantage of the common execution of the unit command in bash,
which enables a potential hacker to control the target computer system and execute code on it
remotely. This bug does not necessarily allow hackers to steal information from the computer but
rather enables them to gain access to and control of other computer systems on the network.1
1 Pittenger, Mike. "Know your open source code." Network Security 2016, no. 5 (2016): 11-15.
The Shellshock vulnerability, which many refer to as the 'Bash bug', is the
result of a security flaw in programming. It is always found in the command line of
several operating systems running Linux, UNIX or their distributions. The command line is
called bash. The security bug causes bash to unintentionally execute commands held in
environment variables. The bug allows an attacker to issue commands remotely on a
server, that is, remote code execution. The attacker can also send commands to the
target hardware without authorization or administrative access permissions. In addition to giving
commands to the target devices and servers, malware may be planted on the systems, thereby
affecting the whole functioning of the system. Many web servers, network and internet services
use environment variables for communication with other operating systems' servers. Since
these environment variables are not properly sanitized by the bash tool, an
attacker has an opportunity to send a command through HTTP requests to the server, and it gets
executed by the server operating system.2
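The paragraph above describes request data reaching bash through environment variables that are not sanitized. The following Python example is added here and is not part of the original report: it withholds header values that look like a bash function definition from the environment a server would pass to a child process, as a defence-in-depth check in front of a patched bash. The names `build_cgi_env` and `SAMPLE_HEADERS` and the sample headers are constructed for illustration; `() {` is the prefix bash used to recognise an exported function definition.

```python
import re

# Bash treated an environment value beginning with "() {" as a function
# definition to import. The filter tolerates extra whitespace on purpose,
# so it is broader than the exact prefix (a conservative assumption).
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def header_to_env_name(header):
    """CGI convention: 'User-Agent' becomes 'HTTP_USER_AGENT'."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_cgi_env(headers):
    """Return (safe_env, rejected) for a dict of request headers.

    Values that look like a bash function definition are kept out of the
    environment handed to any child process and reported for logging.
    """
    safe_env, rejected = {}, []
    for name, value in headers.items():
        env_name = header_to_env_name(name)
        if FUNC_DEF_PREFIX.match(value):
            rejected.append(env_name)
        else:
            safe_env[env_name] = value
    return safe_env, rejected


# Constructed sample request headers (not taken from the report).
SAMPLE_HEADERS = {
    "Host": "intranet.example",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Referer": "() { :; }; echo constructed-marker",
    "Cookie": "  ( ) {ignored;}; echo constructed-marker",
}

if __name__ == "__main__":
    env, bad = build_cgi_env(SAMPLE_HEADERS)
    print("passed to child:", sorted(env))
    print("rejected:", sorted(bad))
```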
Changes required to make the code safe
Protecting your software code against illegal copying and infringement should be the top
priority of all, but this is not the case with open source software. This platform allows many
developers to contribute to the development and testing of the software in order to reduce
bugs. The changes that should be made to the code to make it safe are discussed below.
Identification of open source code used. A critical analysis needs to be done by
gathering information about which components are in use within the open source
software. This might be done with automated code scanning tools that list the components
and versions contained in an application. This will help to evaluate the basis of the code.3
Understand the impact of open source licenses. Security in open source software is
said to be guaranteed to be better than in proprietary software. This is not the case, as security is
more than just identifying and remediating vulnerabilities. There is a need to determine what licenses apply to
2 Sestito, Guilherme Serpa, Afonso Celso Turcato, Andre Luis Dias, Rogerio Andrade Flauzino,
and Dennis Brandao. "Detection of Anomalies Related to the Operation of the Profinet Network
Through Feature Extraction and Classification." IEEE Latin America Transactions 16, no. 7
(2018): 1855-1861.
3 Shetty, Rushank, Kim-Kwang Raymond Choo, and Robert Kaufman. "Shellshock vulnerability
exploitation and mitigation: a demonstration." In International Conference on Applications and
Techniques in Cyber Security and Intelligence, pp. 338-350. Edizioni della Normale, Cham,
2017.